Overview

This hotfix release includes an update from CMS Recipe 4.4.0 to 4.4.6, and from UserForms 5.4.1 to 5.4.2. Links to changelogs for each included version of the CMS Recipe can be found below.

Upgrading to Recipe 2.3.3 is recommended for all CWP sites. This upgrade can be carried out by any development team familiar with Silverstripe CMS. However, if you would like Silverstripe's assistance, you can request support via the Service Desk.

Security considerations

This release includes security fixes; the affected components and their CVE identifiers are listed under Security in the Change Log below, and the release announcements describe each one in more detail. We strongly encourage upgrading your CWP projects so that these security patches are applied.

Upgrading instructions

To update an existing site to the new CWP recipe, change the version constraints in your composer.json as follows and then run composer update:

"require": {
    "cwp/cwp-recipe-core": "2.3.3@stable",
    "cwp/cwp-recipe-cms": "2.3.3@stable",
    "silverstripe/recipe-blog": "1.3.3@stable",
    "silverstripe/recipe-form-building": "1.3.3@stable",
    "silverstripe/recipe-authoring-tools": "1.3.3@stable",
    "silverstripe/recipe-collaboration": "1.3.3@stable",
    "silverstripe/recipe-reporting-tools": "1.3.3@stable",
    "cwp/cwp-recipe-search": "2.3.3@stable",
    "silverstripe/recipe-services": "1.3.3@stable",
    "silverstripe/subsites": "2.3.1@stable",
    "tractorcow/silverstripe-fluent": "4.2.1@stable",
    "cwp/starter-theme": "3.0.0@stable"
},
"prefer-stable": true
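Editing composer.json only states what you want; composer.lock records what composer update actually installed, so that is the file to check before signing off on the upgrade. The script below is an added example, not part of the CWP release notes or of the cwp packages: it reads a composer.lock, compares every package named in the fragment above (plus silverstripe/userforms at 5.4.2, the version this hotfix brings in through the recipes) against the minimum version, and reports anything missing, older than required, or pinned to a branch alias that cannot be verified. The sample lock file embedded in it is constructed for illustration.

```python
"""Check a project's composer.lock against the minimum package versions
required by this CWP recipe release.

Added example; not code from the CWP release notes or the cwp/* packages.
It reads composer.lock (what `composer update` installed) rather than
composer.json (what was requested). SAMPLE_LOCK below is constructed.
"""
import json
import re
import sys

# Minimum versions from the composer.json fragment above. silverstripe/userforms
# is not listed there (the recipes pull it in), but 5.4.2 carries the
# CVE-2020-9280 fix, so a transitive dependency is worth checking too.
REQUIRED = {
    "cwp/cwp-recipe-core": "2.3.3",
    "cwp/cwp-recipe-cms": "2.3.3",
    "silverstripe/recipe-blog": "1.3.3",
    "silverstripe/recipe-form-building": "1.3.3",
    "silverstripe/recipe-authoring-tools": "1.3.3",
    "silverstripe/recipe-collaboration": "1.3.3",
    "silverstripe/recipe-reporting-tools": "1.3.3",
    "cwp/cwp-recipe-search": "2.3.3",
    "silverstripe/recipe-services": "1.3.3",
    "silverstripe/subsites": "2.3.1",
    "tractorcow/silverstripe-fluent": "4.2.1",
    "cwp/starter-theme": "3.0.0",
    "silverstripe/userforms": "5.4.2",
}


def parse_version(text):
    """Turn '4.4.6', 'v4.4.6' or '4.4.6-rc1' into a comparable tuple.

    A pre-release suffix sorts below the matching final release, so
    4.4.6-rc1 < 4.4.6. Branch aliases such as 'dev-master' raise ValueError.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, 1 if pre is None else 0, pre or "")


def installed_versions(lock_text):
    """Map package name -> version for every package in a composer.lock,
    covering both the production and dev sections."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_lock(lock_text, required=REQUIRED):
    """Return [(package, installed_or_None, minimum), ...] for every required
    package that is missing, too old, or not a verifiable release version.
    An empty list means the upgrade took effect."""
    installed = installed_versions(lock_text)
    problems = []
    for name, minimum in required.items():
        have = installed.get(name)
        if have is None:
            problems.append((name, None, minimum))
            continue
        try:
            ok = parse_version(have) >= parse_version(minimum)
        except ValueError:
            ok = False  # e.g. dev-master: cannot prove the fix is present
        if not ok:
            problems.append((name, have, minimum))
    return problems


# Constructed sample: everything at the required version except
# silverstripe/subsites, which is one patch release behind.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": name, "version": version}
        for name, version in REQUIRED.items()
        if name != "silverstripe/subsites"
    ] + [{"name": "silverstripe/subsites", "version": "2.3.0"}],
    "packages-dev": [],
})


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    with open(path, encoding="utf-8") as fh:
        found = check_lock(fh.read())
    for name, have, minimum in found:
        print(f"{name}: installed {have or 'missing'}, need >= {minimum}")
    sys.exit(1 if found else 0)
```

Run it as `python check_lock.py composer.lock` from the project root; a non-zero exit means at least one package is below the version that carries the fixes, which is the state you want a deployment pipeline to refuse.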

Change Log

Security

  • 2020-03-31 3bbad20 Task for shifting UserForm uploads into correct folders (Serge Latyntcev) - See cve-2020-9280
  • 2020-02-12 d515e5e XSS through non-scalar FormField attributes (Serge Latyntcev) - See cve-2019-19325
  • 2020-02-03 ad1b00ec7 XSS through non-scalar FormField attributes (Serge Latyntcev) - See cve-2019-19325
  • 2019-09-23 8b7063a8e Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See cve-2019-12617
  • 2019-09-16 eccfa9b10 Session fixation in "change password" form (Serge Latyntcev) - See cve-2019-12203
  • 2019-08-20 f98a59de install.php warning does not account for public dir (Aaron Carlino) - See cve-2019-12204
  • 2019-08-17 8c7a719 Broken access control on files due to session grant (Aaron Carlino) - See cve-2019-14273
  • 2019-06-05 3c1dd6b Cross Site Request Forgery (CSRF) Protection Bypass (Aaron Carlino) - See cve-2019-12437
  • 2019-06-05 32b727e Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL (Aaron Carlino) - See cve-2019-12437
  • 2019-05-21 73e0cc6 Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See cve-2019-12245

Bugfixes

  • 2019-05-27 d7c76ec Preview email link now handles cases where it's loaded in the browser, requested via AJAX and used in a trait or a page context (#887) (Guy Marriott)
  • 2019-05-20 f4cd7a3 Allowed text length fields now align correctly with each other (#886) (Guy Marriott)
  • 2019-05-17 483fbc8 Preview email link now handles cases where it's loaded in the browser, requested via AJAX and used in a trait or a page context (Robbie Averill)
  • 2019-05-17 d0e937a Allowed text length fields now align correctly with each other (Robbie Averill)
  • 2019-05-16 181e0de Multi page userforms now display their step titles, which were previously broken (Robbie Averill)

Other changes

  • 2019-05-17 d141c83 Import missing PHPDoc doc blocks, switch intval() for (int) casting (Robbie Averill)
  • 2019-05-09 5758075 Update translations (Robbie Averill)
